Network Security VulnWatch

[Full-disclosure] OllyDbg "INT3 AT" Format String Vulnerability

Subject: [Full-disclosure] OllyDbg "INT3 AT" Format String Vulnerability
Date: Fri, 13 May 2005 15:04:16 +0200



OllyDbg "INT3 AT" Format String Vulnerability by Piotr Bania <bania.piotr@gmail.com> http://pb.specialised.info


Original location: http://pb.specialised.info/all/adv/olly-int3-adv.txt
Severity: High / Medium - code execution.
Version affected: Probably all versions, tested on v1.10.



I. BACKGROUND

     "OllyDbg is a 32-bit assembler level analysing debugger for
      Microsoft Windows. Emphasis on binary code analysis makes it
      particularly useful in cases where source is unavailable."


II. DESCRIPTION

     The vulnerability is triggered when a module with a specially crafted
     file name executes an int 3 instruction (trap to debugger).

     Here is the vulnerable code:

     .text:0042FBE0                 lea     eax, [ebp+buffer]
     .text:0042FBE6                 push    eax        ; format string
     .text:0042FBE7                 mov     edx, [ebp+var_28]
     .text:0042FBEA                 push    edx
     .text:0042FBEB                 call    sub_42E100 ; _vsprintf->
                                                       ;___vprinter


     where the format is an ASCII string like:
     "INT3 command at <module_name>.addr".

     An attacker can place format string characters inside "<module_name>"
     (which becomes part of the format buffer) and cause OllyDbg to
     overwrite arbitrary data.

     NOTE: Even with the "IGNORE INT3 BREAKS" option checked, OllyDbg is
           still vulnerable. The attacker can also load a specially crafted
           module (with a specially crafted name) while debugging, to make
           the attack more stealthy.
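The two shapes of the message builder side by side, as an added illustration that is not OllyDbg's code: the vulnerable shape splices the untrusted module name into the format string itself, the hardened one keeps the format constant and passes the name as a `%s` argument, and a small audit helper counts the directives an untrusted string would contribute if it were ever used as a format. Function names and the sample module names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (constructed, mirrors the advisory's description): the
   module name becomes part of fmt, so any '%' in a file name is parsed as a
   conversion directive by the printf engine in the second call. */
static int int3_message_unsafe(char *out, size_t outsz,
                               const char *module_name, unsigned long addr)
{
    char fmt[256];
    snprintf(fmt, sizeof fmt, "INT3 command at %s.%%08lX", module_name);
    /* fmt now carries module_name's directives; only addr is supplied. */
    return snprintf(out, outsz, fmt, addr);
}

/* Hardened shape: the format is a string literal and the untrusted name is
   consumed by %s, so "%n" inside a file name is copied literally. */
static int int3_message_safe(char *out, size_t outsz,
                             const char *module_name, unsigned long addr)
{
    return snprintf(out, outsz, "INT3 command at %s.%08lX",
                    module_name, addr);
}

/* Audit helper: number of conversion directives an untrusted string would
   introduce if used as a format ("%%" is a literal percent, not a directive).
   Anything above zero in a file or module name is a red flag. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}
```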


III. IMPACT

     After successful exploitation this vulnerability allows the attacker
     to run arbitrary code in the context of the current user.
     If exploitation is not successful, OllyDbg will fault and lose all
     debugged data.



best regards,
Piotr Bania

--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info  - Key ID: 0xBE43AC33
--------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
